General

  • Target

    4f7771816a61eee6220b7e56ffd96e377dc5783b5bb6cba0ee39dbb25b9e4ce6

  • Size

    681KB

  • Sample

    240522-bqx7qaga4w

  • MD5

    bf11911b6520870ace83bf94f86647f1

  • SHA1

    23f7fa2eb9a8f88899fa19dbd6296fdf0d377c57

  • SHA256

    4f7771816a61eee6220b7e56ffd96e377dc5783b5bb6cba0ee39dbb25b9e4ce6

  • SHA512

    5574d6b4ccb2591c0b68c533f7003b246e737ce562da407902cdd79d998a39dd7d607dfaaf2b16b02c261a4c5733eb91cf2e54ebe9e384bb1416a89eb87d6468

  • SSDEEP

    12288:UvbDA/K+AhaGMeXBCr4H8HqdaWluvNBtYSBmxmKVdBkhmY8RVp+InboA:gkBvGVs4vdRKHYSoxRSmYG7bl

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot7112515810:AAFghL07X0tlIBZbY77j9J8dN968K82ybQU/

Targets

    • Target

      4f7771816a61eee6220b7e56ffd96e377dc5783b5bb6cba0ee39dbb25b9e4ce6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks